Here’s how to fix the MacOS High Sierra security flaw

Alex Kidman 29 November 2017 NEWS


It's possible for malcontents to easily access a locked down Mac, but thankfully it's also easy to block them.

A critical flaw in the latest release of Apple's macOS, High Sierra, can allow anyone to access a theoretically locked down system at the root level with no password whatsoever.

The flaw relates to the way that the root level user is set up by default on High Sierra Macs, and could leave systems compromised if the user hasn't set a default password. Which, if you were unaware that your Mac even had a root admin user by default, would probably be pretty much everyone.

If you're running High Sierra you can test for the flaw yourself by trying to log in with the username "root" and hitting the enter key (i.e. with no password) several times.

The same flaw applies at the user login screen after a Mac is rebooted, which is quite the critical flaw. Admittedly, someone would have to get physical access to your Mac in order to implement this bypass technique, but that would also cover stolen Macs in any circumstance.

That's terrifying. How can I protect myself?

Apple says that it's working on a fix for High Sierra Macs to eliminate the flaw, but it's yet to appear. It's a timely reminder that it's always worth installing security updates to your computer (whether it's a PC or a Mac), so if you're behind in this aspect it would be wise to get updated.

In the meantime, what you need to do is actually set a root user password. You can test for the root user by heading to System Preferences > Users, and then clicking on the lock icon. You'll be prompted for a username and password. Enter "root" in the username field, and hit return a couple of times, at which point you'll most likely end up in full control of your Mac (as would anyone else). Scary stuff, but paradoxically you need the superuser access that the root account has in order to set a new root user's password.

As per Apple's own instructions on how to set that password, do the following:

  • Choose Apple menu () > System Preferences, then click Users & Groups (or Accounts).
  • Click lock icon, then enter an administrator name and password.
  • Click Login Options.
  • Click Join (or Edit).
  • Click Open Directory Utility.
  • Click lock icon in the Directory Utility window, then enter an administrator name and password.
  • From the menu bar in Directory Utility, choose Edit > Change Root Password.
  • Enter a root password when prompted.

The flaw only works when the root superuser account has a password that is blank, so by setting a password, you should block off any miscreants trying to gain access to and control of your Mac. It's generally a poor idea to actually use the root account on a regular basis, however, so once you're done changing the password, you should log back into your regular account.

Apple has long prided itself on the security of MacOS and its underlying Unix heritage, even going so far as to use that as a selling point for its Mac lines back in its Mac vs PC advertising days.

Maybe Apple should dust off Justin Long one more time to redress this in light of this not-at-all-trivial flaw.
